Re: [Bro-Dev] Option -z
> If one could express such analyses easily with a few lines of script
> code, that would be quite powerful for doing script inspection that's
> also easy to customize.

Well sure, but it's not clear one can get to that point without some significant work under the hood anyway in terms of the features needed to make the script-level expression a few lines of code.

Vern

___
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
Re: [Bro-Dev] Option -z
On Thu, May 26, 2016 at 07:41 -0700, you wrote:

> I wonder if they don't use it because it's not on their radar. It's
> actually pretty handy,

I see that in principle but hardcoding the functionality in C++-land doesn't seem to be the ideal way to go about things like this. If one could express such analyses easily with a few lines of script code, that would be quite powerful for doing script inspection that's also easy to customize.

Robin

--
Robin Sommer * ICSI/LBNL * ro...@icir.org * www.icir.org/robin
Re: [Bro-Dev] Option -z
> Just removing this specific use of finding NOTICEs, which doesn't seem
> anybody has been using in a long time.

I wonder if they don't use it because it's not on their radar. It's actually pretty handy, a way of telling when you think the set of NOTICEs should be X, but it's actually X'. Can help with writing documentation or finding dead code (of a form), or telling just what happens due to the hierarchy of @load's that a script pulls in.

Vern
Re: [Bro-Dev] Option -z
> On May 26, 2016, at 10:15 AM, Robin Sommer wrote:
>
> On Wed, May 25, 2016 at 20:56 -0700, you wrote:
>
>> Well it's there in CHANGES, per the appended. But yeah looks like it never
>> went anywhere beyond the original instigation, so I think removing it is
>> okay.
>
> Ah, I didn't realize this is what originally introduced the whole
> traversal machinery. That infrastructure is used in a few places now,
> and I'm not planning on touching that. Just removing this specific use
> of finding NOTICEs, which doesn't seem anybody has been using in a
> long time.
>
> Robin

It also has a minor issue that prevents it from being more useful: it outputs AddressScan instead of the fully namespaced Scan::AddressScan.

--
- Justin Azoff
Re: [Bro-Dev] Option -z
> Does anybody remember what Bro's option -z is for?

Well it's there in CHANGES, per the appended. But yeah looks like it never went anywhere beyond the original instigation, so I think removing it is okay. OTOH, it's a pretty handy general notion, so instead pushing it further strikes me as also reasonable.

Vern

0.9a8 Wed Feb 16 17:09:34 PST 2005

- Bro now has a general internal mechanism for traversing policy scripts (Umesh Shankar). Various script analyses can be specified using the new -z flag. Currently, the one supported form of analysis is "-z notice", which prints all of the different types of notices that the script you've loaded can generate. For example, "bro -z notice ftp" will generate:

    Found NOTICE: BackscatterSeen
    Found NOTICE: FTP_PrivPort
    Found NOTICE: FTP_BadPort
    Found NOTICE: PortScan
    Found NOTICE: FTP_ExcessiveFilename
    Found NOTICE: ScanSummary
    Found NOTICE: AddressDropped
    Found NOTICE: DroppedPackets
    Found NOTICE: SensitiveConnection
    Found NOTICE: FTP_UnexpectedConn
    Found NOTICE: SSH_Overflow
    Found NOTICE: FTP_Sensitive
    Found NOTICE: TerminatingConnection
    Found NOTICE: PasswordGuessing
    Found NOTICE: AddressDropIgnored
    Found NOTICE: AddressScan
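The thread discusses two things: what "-z notice" reports (the set of NOTICE types a loaded script can generate, and Vern's point about comparing the set you expect with the set you actually get) and Justin's remark that the C++ traversal prints AddressScan rather than the namespaced Scan::AddressScan. The following is an added example, not code from the Bro project or from anyone in the thread: a small Python scanner over Bro script text that does the same job at the script level, tracks the enclosing `module` so notice names come out fully qualified, and reports notice types that are raised but never added to Notice::Type. The two Bro scripts it scans are constructed samples; the regular expressions are a deliberate approximation of Bro syntax rather than a real parser.

```python
"""
Script-level approximation of "bro -z notice" (added example, not Bro code).
Scans Bro policy-script text for NOTICE(...) calls, qualifies each $note with
the enclosing module, and flags notices raised but never declared.
"""
import re

# Constructed sample scripts (not from the Bro distribution).
SAMPLE_SCRIPTS = {
    "scan.bro": """
module Scan;

export {
    redef enum Notice::Type += {
        AddressScan,
        PortScan,
    };
}

event connection_attempt(c: connection)
    {
    NOTICE([$note=AddressScan, $msg="scan", $src=c$id$orig_h]);
    NOTICE([$note=PortScan, $msg="port scan"]);
    }
""",
    "ftp.bro": """
module FTP;

export {
    redef enum Notice::Type += { FTP_BadPort };
}

event ftp_request(c: connection)
    {
    NOTICE([$note=FTP_BadPort, $msg="bad port"]);
    # Already qualified: a notice type owned by another module.
    NOTICE([$note=Scan::AddressScan, $msg="seen via ftp"]);
    # Raised but never added to Notice::Type (the X vs X' case).
    NOTICE([$note=FTP_ExcessiveFilename, $msg="long name"]);
    }
""",
}

MODULE_RE = re.compile(r"^\s*module\s+([A-Za-z_][A-Za-z0-9_]*)\s*;", re.M)
ENUM_RE = re.compile(r"redef\s+enum\s+Notice::Type\s*\+=\s*\{([^}]*)\}", re.S)
NOTE_RE = re.compile(r"NOTICE\s*\(\s*\[[^\]]*?\$note\s*=\s*([A-Za-z_][A-Za-z0-9_:]*)")


def _strip_comments(text):
    """Drop '#' comments so commented-out NOTICE calls are not counted."""
    return re.sub(r"#[^\n]*", "", text)


def _module_at(text, pos):
    """Name of the module in effect at offset pos ('' if none declared yet)."""
    current = ""
    for m in MODULE_RE.finditer(text):
        if m.start() >= pos:
            break
        current = m.group(1)
    return current


def _qualify(name, module):
    """Prefix an unqualified name with Module::, leave qualified names alone."""
    if "::" in name or not module:
        return name
    return f"{module}::{name}"


def declared_notice_types(scripts):
    """Map each fully qualified name added to Notice::Type to its file."""
    declared = {}
    for fname, text in scripts.items():
        text = _strip_comments(text)
        for m in ENUM_RE.finditer(text):
            module = _module_at(text, m.start())
            for raw in m.group(1).split(","):
                name = raw.strip()
                if name:
                    declared[_qualify(name, module)] = fname
    return declared


def generated_notices(scripts):
    """Sorted, fully qualified notice types that NOTICE() calls can raise."""
    names = set()
    for text in scripts.values():
        text = _strip_comments(text)
        for m in NOTE_RE.finditer(text):
            names.add(_qualify(m.group(1), _module_at(text, m.start())))
    return sorted(names)


def undeclared_notices(scripts):
    """Notice types that are raised but never added to Notice::Type."""
    declared = declared_notice_types(scripts)
    return [n for n in generated_notices(scripts) if n not in declared]


if __name__ == "__main__":
    for n in generated_notices(SAMPLE_SCRIPTS):
        print("Found NOTICE:", n)
    print("undeclared:", undeclared_notices(SAMPLE_SCRIPTS))
```

Because the analysis lives outside the Bro binary, extending it is a matter of adding another function over the same scanned text (for example, listing which file declares each type, as `declared_notice_types` already does), which is the kind of customization Robin was asking for.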